OCR GCSE Network Security: Threats, Vulnerabilities & Mitigation
Cybersecurity underpins almost every OCR GCSE Computer Science scenario. Whether the paper discusses school networks, cloud backups, or software deployment, you are expected to evaluate threats, vulnerabilities, and mitigation strategies. This guide blends theory with practice, linking to our networking revision for context on hardware defences and the impacts of computing article when privacy and legal compliance questions arise.
Threats, Vulnerabilities, and Controls
OCR categorises threats into malicious intent (malware, hacking, social engineering), accidental damage, and environmental factors. Vulnerabilities include outdated software, weak authentication, unsecured Wi-Fi, and insider misuse. Controls span technical measures (firewalls, encryption), procedural steps (policies, training), and physical safeguards (locks, CCTV). For higher-mark responses, tie each threat to a vulnerability and propose layered defences. Reference legislation – the Computer Misuse Act 1990 and the Data Protection Act 2018 – to demonstrate awareness of legal ramifications.
Key Exam Points
- Define malware types clearly: viruses replicate by attaching to files, worms self-replicate across networks, Trojans disguise themselves as legitimate software, ransomware encrypts data for ransom, and spyware records user activity.
- Describe social engineering tactics such as phishing, pretexting, and shouldering, and explain how user education mitigates them.
- Explain the purpose of firewalls (filter traffic based on rules), intrusion detection systems (monitor for suspicious activity), and intrusion prevention systems (block malicious packets in real time).
- Discuss authentication methods: strong passwords, multi-factor authentication, biometrics, and access control lists.
- Demonstrate knowledge of encryption (symmetric vs asymmetric keys) and how TLS secures web traffic.
- Reference network policies: acceptable use policies, regular backups, patch management schedules, and disaster recovery plans.
- Include physical security measures – secure server rooms, visitor logs, cable locks – as part of defence in depth.
- Highlight the importance of testing incident response through drills and simulations.
Securing Real Scenarios
Examiners often present a case study: for example, a college migrating to cloud storage or a medical clinic rolling out tablets. Identify data sensitivity, regulatory requirements, and potential attack vectors. For cloud services, discuss provider responsibilities versus client responsibilities (shared responsibility model). Mention encryption at rest and in transit, robust authentication, and auditing capabilities. When answering evaluation questions, weigh cost, usability, and effectiveness. Link to programming topics – secure coding principles from our Python fundamentals guide help justify why input validation stops injection attacks.
Risk assessment may include likelihood and impact calculations. Use ordinal scales (e.g. high, medium, low) or simple quantitative values, then prioritise controls accordingly. Demonstrate knowledge of backup strategies (full, incremental, differential) and describe the 3-2-1 rule. When presenting policies, quote specific examples: “Enforce 12-character passwords rotated every 90 days” or “Schedule monthly vulnerability scans.” Specificity earns credit.
Security Frameworks and Standards
Referencing recognised frameworks strengthens evaluation answers. Mention ISO/IEC 27001 for information security management, Cyber Essentials for UK organisations, and NIST Cybersecurity Framework functions (Identify, Protect, Detect, Respond, Recover). Explain how policies map to these frameworks – for example, regular patching fulfils “Protect”, while incident response drills support “Respond”. Connecting to standards demonstrates awareness of industry practice and elevates your analysis.
Revision Routine & Practice Tasks
Build a weekly cycle that rotates terminology flashcards, scenario writing, and quick-fire quizzes. One day, summarise a breach headline and map it to the CIA triad (Confidentiality, Integrity, Availability). Another day, draft a mini policy for a fictional company, citing tools such as SIEM monitoring or zero trust access. Finish the week with an 8-marker response in timed conditions, reviewing it against the mark scheme to identify gaps. Linking these tasks to the networking article reinforces how secure design begins with resilient infrastructure.
Example Question & Answer
Question: An e-learning company plans to let students upload coursework to a web portal. Identify two likely security threats and discuss how the company can mitigate each threat while keeping the system user-friendly (6 marks).
Model answer: One threat is SQL injection if form inputs are not validated. Mitigation includes parameterised queries and server-side validation, which prevent malicious statements from being executed while remaining invisible to the user. Another threat is credential stuffing, where attackers reuse stolen passwords. Mitigation involves enforcing multi-factor authentication and implementing rate limiting on login attempts. MFA provides a second factor, while rate limiting stops brute-force attacks without significantly affecting legitimate learners.
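To make the two mitigations in the model answer concrete, here is an added example (written for this guide, not taken from any exam board material) that compares a string-built query with a parameterised one on a constructed in-memory SQLite table, and adds a simple per-username rate limiter for login attempts. The table contents, the crafted input and the limits are all assumptions chosen for illustration.

```python
import sqlite3
import time
from collections import defaultdict, deque


def make_db():
    """Constructed sample data: two portal users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "student"), ("bob", "tutor")])
    return conn


def find_user_unsafe(conn, username):
    # Vulnerable form: the input is pasted into the SQL text, so a quote
    # character inside it changes the meaning of the WHERE clause.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # Hardened form: '?' is a bound parameter, so whatever the input contains
    # is compared as a literal value and can never become part of the SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


class LoginRateLimiter:
    """Allow at most max_attempts per username inside a sliding time window."""

    def __init__(self, max_attempts=5, window_seconds=300):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.attempts = defaultdict(deque)   # username -> timestamps of attempts

    def allow(self, username, now=None):
        now = time.time() if now is None else now   # 'now' injectable for tests
        q = self.attempts[username]
        while q and now - q[0] > self.window:       # forget attempts outside window
            q.popleft()
        if len(q) >= self.max_attempts:             # limit reached: refuse attempt
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    conn = make_db()
    crafted = "nobody' OR 'x'='x"   # constructed input containing a quote
    print(find_user_unsafe(conn, crafted))   # both rows: WHERE clause is always true
    print(find_user_safe(conn, crafted))     # []: no user has that literal name
    limiter = LoginRateLimiter(max_attempts=3, window_seconds=60)
    print([limiter.allow("alice", now=t) for t in (0, 1, 2, 3, 61)])
```

The limiter only counts attempts, so genuine learners who mistype once or twice are unaffected, which is the usability point the answer makes.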
Common Mistakes & Tips
- Writing “install antivirus” without explaining how real-time scanning or signature updates prevent specific malware behaviours.
- Ignoring insider threats such as disgruntled employees with privileged access.
- Using vague phrases like “train staff” without detailing what training covers (recognising phishing, reporting procedures).
- Confusing encryption with hashing; clarify that hashing is one-way and used for password storage.
- Omitting legal references; cite the Computer Misuse Act or GDPR to strengthen evaluation responses.
- Failing to test business continuity plans; mention that backups should be restored regularly to verify their integrity.
- Forgetting network segmentation, VLANs, or DMZs when discussing defence-in-depth strategies.
Further Practice
Link to relevant site pages: